Hi Steve,
The account is my own user account and I can ssh to it.
I currently have iptables off.
I do have:
ftpd: ALL
in /etc/hosts.allow
and
ALL: ALL: banners /etc/banners
in host.deny (again, I can ssh into the node just fine).
Thanks for the reply.
This problem is puzzling to me.
I tied added the -v option (actually -v -v -v just in case) to
server_args in xinetd.d/gssftp. I just get the additional info of
importing the ftp and host principal info (from the keytab).
In my /etc/krb5.keytab file I do see something a bit strange:
The KVNO for the ftp entry is 3 while the host line has KVNO 6.
--Ron
Steven Timm wrote:
Does the account that you are trying to ftp into on the
server side have a valid shell? is that shell listed in /etc/shells?
Is ftpd open in the iptables on the server side, and in /etc/hosts.allow,
hosts.deny?
Steve
On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
Hi,
I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5
kerberized ftp client.
On the server, I'm using:
rpm -qf /usr/kerberos/sbin/ftpd
krb5-workstation-1.6.1-31.el5_3.3.x86_64
On the client, I'm using:
rpm -qf rpm -qf /usr/kerberos/bin/ftp
krb5-workstation-1.6.1-31.el5_3.3.x86_64
On the client side, I get:
...
GSSAPI error major: Unspecified GSS failure. Minor code may provide
more information
GSSAPI error minor: Permission denied
GSSAPI error: acquiring credentials
GSSAPI ADAT failed
GSSAPI authentication failed
...
and on the server side, in /var/log/messages, I get:
...
ftpd[25305]: gssapi error acquiring credentials
...
I do have a valid ticket! and I can connect to another SLF5 node, so
it seems to be a server issue.
I've tried looking at the kdc logs on fnalu...
I use to be able to "tail -f" the log in the tmp directory but now I
can just see a log file that seems to be several hours old. In that
log file, however, I do see an "ISSUE:" line for my server, so it
would appear that I do have a valid ftp principal.
Any suggestions?
Thanks,
Ron